添加acl配置文件
# vim acl.json
{
"acl": {
"enabled": true,
"default_policy": "deny",
"down_policy": "extend-cache"
}
}
重启consul
# docker restart consul_server
生成初始 token（即 bootstrap token，绑定 global-management 策略）
# consul acl bootstrap
AccessorID: edcaacda-b6d0-1954-5939-b5aceaca7c9a
SecretID: 4411f091-a4c9-48e6-0884-1fcb092da1c8
Description: Bootstrap Token (Global Management)
Local: false
Create Time: 2018-12-06 18:03:23.742699239 +0000 UTC
Policies:
00000000-0000-0000-0000-000000000001 - global-management
创建环境变量（注意：写入 /etc/profile 的是 global-management 权限的 SecretID，所有能登录该主机的用户都可读取，只应在受控主机上临时使用）
# echo 'export CONSUL_HTTP_TOKEN=4411f091-a4c9-48e6-0884-1fcb092da1c8' >>/etc/profile
# source /etc/profile
创建agent token
创建 agent 策略（这里 -name 指定的策略名需与后面 token create 时的 -policy-name 保持一致）
# vim agent-policy.hcl
# agent-policy.hcl: rules bound to the agent token.
# An empty prefix matches every node / every service.
# Allows registering and accessing all nodes.
node_prefix "" {
policy = "write"
}
# Allows reading any service (no service registration with this rule alone).
service_prefix "" {
policy = "read"
}
此策略将允许注册和访问所有节点，并读取任何服务。
# consul acl policy create -name "agent-token" -description "Agent Token Policy" -rules @agent-policy.hcl
ID: 5102b76c-6058-9fe7-82a4-315c353eb7f7
Name: agent-policy
Description: Agent Token Policy
Datacenters:
Rules:
node_prefix "" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
创建agent令牌
# consul acl token create -description "Agent Token" -policy-name "agent-token"
AccessorID: 499ab022-27f2-acb8-4e05-5a01fff3b1d1
SecretID: da666809-98ca-0e94-a99c-893c4bf5f9eb
Description: Agent Token
Local: false
Create Time: 2018-10-19 14:23:40.816899 -0400 EDT
Policies:
fcd68580-c566-2bd2-891f-336eadc02357 - agent-token
服务端配置acl
把令牌添加到所有 server.hcl（配置文件中含有 agent token 的 SecretID，应限制该文件的读取权限）
"primary_datacenter": "testkydhuabei2",
"acl": {
"enabled": true,
"default_policy": "deny",
"down_policy": "extend-cache",
"tokens": {
"agent": "da666809-98ca-0e94-a99c-893c4bf5f9eb"
}
}
重启consul
# docker restart consul_server
检测是否成功（用 bootstrap token 请求 catalog 接口，能返回节点列表即说明 ACL 已生效）
# curl http://127.0.0.1:8500/v1/catalog/nodes -H 'x-consul-token: 4411f091-a4c9-48e6-0884-1fcb092da1c8'
[
{
"Address": "172.20.20.10",
"CreateIndex": 7,
"Datacenter": "kc",
"ID": "881cfb69-2bcd-c2a9-d87c-cb79fc454df9",
"Meta": {
"consul-network-segment": ""
},
"ModifyIndex": 10,
"Node": "fox",
"TaggedAddresses": {
"lan": "172.20.20.10",
"wan": "172.20.20.10"
}
}]
客户端配置acl
把令牌添加到所有client.hcl
"acl": {
"enabled": true,
"default_policy": "deny",
"down_policy": "extend-cache",
"tokens": {
"agent": "da666809-98ca-0e94-a99c-893c4bf5f9eb"
}
}
重启consul
# docker restart consul_client
service token
服务注册需要配置 service token。注意：下面的策略对 service_prefix 仅授予 read，而注册服务要求 token 对该服务名拥有 write 权限；此外 key_prefix "" 的 write 会放开整个 KV 的写入，生产环境应按需收窄前缀。
# vim service.hcl
# service.hcl: rules bound to the service token.
# An empty prefix matches every key / node / service.
# NOTE(review): write on the whole KV tree is very broad; narrow the prefix
# to what the service actually needs.
key_prefix "" {
policy = "write"
}
# Allows registering and accessing all nodes.
node_prefix "" {
policy = "write"
}
# NOTE(review): "read" on service_prefix does not permit registering a service;
# registration needs "write" on the service name -- confirm this is intended.
service_prefix "" {
policy = "read"
}
# consul acl policy create -name "service-token" -description "Service Token Policy" -rules @service.hcl
# consul acl token create -description "Service Token" -policy-name "service-token"
参考链接:
https://learn.hashicorp.com/consul/security-networking/production-acls
https://www.wqblogs.com/2019/01/23/consul%E9%85%8D%E7%BD%AEacl/
https://kingfree.gitbook.io/consul/day-1-operations/acl-guide